Krebs on Security

In-depth security news and investigation

Tax Fraud Advice, Straight from the Scammers

Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post.

One outspoken and unrepentant tax fraudster — a ne’er-do-well using the screen name “Peleus” — reported that he had far more luck filing phony returns at the state level last year. Peleus posted the following experience to a popular fraud forum in February 2014:

“Just wanted to share a bit of my results to see if everyone is doing so bad or it just me…Federal this year has been a pain in the ass. I have about 35 applications made for federal with only 2 paid refunds…I started early in January (15-20) on TT [TurboTax] and HR [H&R Block] and made about 35 applications on Federal and State..My stats are as follows:

State: 35 apps – 15 approved (average per return $1600). State works just as great as last year, their approval rate is nearly 50% and processing time no more than 10 – 12 days.

I know that the IRS has new check filters this year but federals suck big time this year, i only got 2 refunds approved from 35 applications …all my federals are between $2300 – $2600 which is the average refund amount in the US so i wouldn’t raise any flags…I also put a small yearly salary like 25-30k….All this precautions and my results still suck big time compared to last year when i had like 30%- 35% approval rate …what the fuck changed this year? Do they check the EIN from last year’s return so you need his real employer information?”

A seasoned tax return fraudster discusses strategy.

Several seasoned members of this fraud forum responded that the IRS had indeed become more strict in validating whether the W2 information supplied by the filer had the proper Employer Identification Number (EIN), a unique tax ID number assigned to each company. The fraudsters then proceeded to discuss various ways to mine social networking sites like LinkedIn for victims’ employer information.

GET YER EINs HERE

A sidebar is probably in order here. EINs are not exactly state secrets. Public companies publish their EINs on the first page of their annual 10-K filings with the Securities and Exchange Commission. Still, EINs for millions of small companies here in the United States are not so easy to find, and many small business owners probably treat this information as confidential.

Nevertheless, a number of organizations specialize in selling access to EINs. One of the biggest is Dun & Bradstreet, which, as I detailed in a 2013 exposé, Data Broker Giants Hacked by ID Theft Service, was compromised for six months by a service selling Social Security numbers and other data to identity thieves like Peleus.

Last year, I heard from a source close to the investigation into the Dun & Bradstreet breach who said the thieves responsible made off with more than six million EINs. In December 2014, I asked Dun & Bradstreet about the veracity of this claim, and received a blanket statement that did not address the six million figure, but stressed that EINs are not personally identifiable information and are available to the public.

THE PREPAID MESS

By May of 2014, Peleus reported that he’d more or less worked out the best ways to avoid the IRS’s fraud filters, and was finding great success at the state level. The key, he said, was having the bogus refund sent to a unique prepaid debit card account for each filing. In this case, he found success with Green Dot — a widely-used prepaid card.

“The season is over, and my stats improved A LOT once I used one Greendot for one refund, instead of 1 checking account for 10 refunds,” he wrote.

The prepaid card industry has been an indispensable tool of tax fraudsters for several years, and remains one of the favorite means of cashing out phony refunds — as well as the proceeds from a broad range of other cybercrime activity.

At a March 12, 2015 hearing on the tax refund fraud epidemic, Utah State Tax Commission Chairman John Valentine told the U.S. Senate Finance Committee that all of the suspicious returns it has seen so far this year had the direct deposit information changed from the previous year’s bank account to prepaid debit cards — often Green Dot brand debit cards.

“Once the funds are transferred to such cards, they cannot easily be traced or recovered, a perfect vehicle to commit fraud,” Valentine told the panel. “Prepaid debit cards appear to be preferable to fraudsters because the identity thief doesn’t have to bother with banks, credit unions or check-cashing stores that may become suspicious when one person starts bringing in multiple tax refund checks to be cashed or deposited.”

Valentine said one problem his state ran into when trying to isolate filings involving prepaid cards was that there is currently no uniformity in numbering that distinguishes traditional checking and savings accounts from prepaid debit cards.

“For example, a prepaid reloadable debit card sold by Green Dot appears to be linked to a bank account even though the debit card had no actual checking or savings account associated with it,” he said in his prepared remarks (PDF). “A simple fix would be to require a different series, letter or additional numbers to distinguish these cards from cards connected to bank or credit union checking and savings accounts.”
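A minimal sketch of how the filter signals mentioned in this article (an employer EIN that differs from last year's, a refund destination switched to a prepaid card, several refunds landing in one account) could be combined into a review queue. This is an added example, not code from the article, the IRS or any state agency; the routing numbers, taxpayer tokens, EINs, weights and threshold are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple

# Constructed placeholder: routing numbers assumed to belong to prepaid card
# programs. A real list would have to come from the issuers or a regulator.
PREPAID_ROUTING = {"999000001"}
MAX_REFUNDS_PER_ACCOUNT = 2   # assumed threshold, not an IRS or state figure
# Assumed weights: an EIN change alone is weak, because people change jobs.
WEIGHTS = {"ein_changed": 1, "moved_to_prepaid": 2, "shared_deposit_account": 2}
HOLD_AT = 2                   # total weight at which a refund is held

class Filing(NamedTuple):
    taxpayer: str   # tokenized taxpayer id (constructed)
    ein: str        # employer EIN as entered on the return
    routing: str    # refund deposit routing number
    account: str    # refund deposit account number

def collect_signals(filings, prior_year):
    """Map each taxpayer token to the list of signals its filing trips."""
    per_account = Counter((f.routing, f.account) for f in filings)
    out = {}
    for f in filings:
        signals = []
        prev = prior_year.get(f.taxpayer)
        if prev and f.ein != prev.ein:
            signals.append("ein_changed")
        # Deposit moved away from last year's account to a prepaid program.
        if (prev and (f.routing, f.account) != (prev.routing, prev.account)
                and f.routing in PREPAID_ROUTING):
            signals.append("moved_to_prepaid")
        # Many refunds funnelled into one deposit account in the same season.
        if per_account[(f.routing, f.account)] > MAX_REFUNDS_PER_ACCOUNT:
            signals.append("shared_deposit_account")
        out[f.taxpayer] = signals
    return out

def review_queue(filings, prior_year):
    """Taxpayer tokens whose combined signal weight reaches HOLD_AT."""
    hits = collect_signals(filings, prior_year)
    return sorted(t for t, s in hits.items()
                  if sum(WEIGHTS[x] for x in s) >= HOLD_AT)

# Constructed sample data: last year's records and this season's filings.
PRIOR = {
    "T1": Filing("T1", "11-1111111", "999000010", "A1"),
    "T2": Filing("T2", "22-2222222", "999000010", "A2"),
    "T3": Filing("T3", "33-3333333", "999000010", "A3"),
    "T4": Filing("T4", "44-4444444", "999000010", "A4"),
}
CURRENT = [
    Filing("T1", "11-1111111", "999000010", "A1"),  # nothing changed
    Filing("T2", "55-5555555", "999000010", "A2"),  # new job, same bank
    Filing("T3", "66-6666666", "999000001", "P1"),  # new EIN, now prepaid
    Filing("T4", "77-7777777", "999000020", "S1"),  # three filings share S1
    Filing("T5", "88-8888888", "999000020", "S1"),  # first-time filer
    Filing("T6", "99-9999999", "999000020", "S1"),  # first-time filer
]

if __name__ == "__main__":
    print(review_queue(CURRENT, PRIOR))
```

The prepaid check only works if prepaid accounts can be told apart from ordinary ones, which is the numbering gap Valentine describes; here that is papered over with an assumed lookup set.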

SAFE MONEY & FREQUENT FILERS

Judging from his fraud forum postings, our tax scammer Peleus was having more luck filing bogus refund requests with both the IRS and the states in this year’s tax season, which appears to have started in mid- to late January for phony filers.

Peleus’ 2015 tax tips for fellow fraudsters center on which payment instruments and banks to use and which to avoid. Peleus said prepaids are great, but getting your phony refunds deposited in a Suntrust account remains the safest option, while certain banks — particularly Wells Fargo — are to be avoided like the plague.

“Wells Fargo is old news and sucks big time,” Peleus wrote in a January 14, 2015 post. “It is one of the strictest banks and I do not recommend it. Try and get Suntrust. If Suntrust works like last year, you should have 5-7 refunds per account easy. They don’t seem to give a fuck.”

Peleus and other fraudsters continue to report strong success filing phony tax refund requests through TurboTax, the largest of the online tax preparation services — with nearly 30 million customers. Peleus urges like-minded crooks to consider asking TurboTax to credit the fraudulent refund amount as an Amazon gift code, which is apparently all the rage this year:

“You don’t even need your own bank accounts, you can use company checking accounts from Google or checking accounts from your older spam,” Peleus enthuses. “Basically, you need just an email to receive the Amazon code. Sure, it’s hard to sell it on eBay or Craigslist, but it works and they never get blocked, so it’s safe money.”

[In case you missed my recent series on how lax security and adherence to “know-your-customer” basics at TurboTax has contributed to the tax fraud epidemic, check out these stories.]

While the states and the IRS are becoming more vigilant about filtering out phony refund requests, the fraudsters are clearly responding by upping the volume of bogus filings. At least, that’s according to our virtual Virgil of the tax underworld:

“People, the secret still stays in numbers, so file as many applications as you can,” Peleus advises his fraudster friends. “No matter how accurate your tax info is, if you fly under the radar with small refunds (e.g. the average US refund was $2400 last year) you will be making money. Stop asking for $9k per refund you should make 3 of 3k, more refunds is better. Next year it will be harder I am sure, but we will all be smarter and fewer.”

ANALYSIS

Given the amount of cyber fraud that is committed with the help of the anonymity afforded to prepaid card users, the Utah State Tax Commissioner’s suggestion about requiring a unique identifier for prepaid card account numbers seems like a sound one. Certainly, the prepaid card and tax preparation industries can up their game. As I’ve noted in previous stories, both industries probably need more encouragement from federal lawmakers and/or regulators to proactively institute more robust and effective “know-your-customer” policies.

Even so, tax refund fraud is a complex problem, with many core weaknesses contributing to the overall epidemic. Not least of which is that the IRS is required to process refund requests within a very short period of receiving the filing. Very often, the IRS has to make this decision even before companies finish sending out W2 information.

In an August 2014 report to Congress on the tax refund fraud epidemic, the Government Accountability Office said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

Update, Mar. 26, 4:56 p.m. ET: A previous version of this story incorrectly stated that Green Dot was managed by GE Money Bank. The latter sold part of its prepaid business (Wal-Mart Money Card) to Green Dot back in 2013.

41 comments

A colleague of mine recently received in the mail a Green Dot card. Her investigation revealed that she was the victim of a fraudulent tax return filed in her name. How does the scam work sending a Green Dot card to the victim’s address? Do they simply wait and hope the victim activates the card, and then they drain the card remotely?

That seems like a mistake by a fraudster. I’d think the typical way to do it would be to buy a prepaid debit card at a brick & mortar POS location, using cash. Then direct funds to that card since they have possession of it.

I’m glad the IRS is getting better at detecting fraud, but the billions of dollars getting through is still staggering. I hope they open up their Electronic Filing PIN for anyone’s voluntary use next year. At least that way I could feel like I was doing my part in this battle.

Replying to myself, but I just saw that on the IRS Electronic Filing PIN page, it no longer lists the “previously a fraud victim” requirements in the eligibility section. So hopefully that means we can voluntarily use it next year!

The E-Filing PIN provides no more protection against ID theft than using the previous year’s AGI, since the ID thief can easily get it from the web site you linked using information that is required anyway for filing the fraudulent return.

You are probably thinking of the ID theft protection PIN, which is a different PIN. It is still only available to ID theft victims, unless you live in one of the few states where they are running a pilot project:

Yeah, that “self selected PIN” never made any sense to me. The Electronic Filing PIN is different, since it has to match the value recorded on IRS’s side in order for the tax return to be successfully filed and processed.

Same exact thing happened to my parents this year. They got a card from Green Dot and a week later found a refund had processed for one of them. I’ll have to check to see if they still have the card and have them check the balance.

The thing is Green Dot does address verification so fraudster has to send to the real owner’s address and hope that the owner doesn’t activate (which of course won’t happen, the owner never activates). He then goes ahead to spend the temp card at big box stores to buy Apple items. That’s why you get those in the mail.

On the use of debit cards for tax returns, for SS monthly checks, etc., the government knows they are very susceptible to fraud but they still insist on using them. It just doesn’t make any logical sense. They tried to force me to sign up for one but I repeatedly refused and they finally left me alone. I knew trying to get reimbursed for a stolen debit card could only be an experience of utter frustration.

In order to find out if someone had fraudulently obtained a STATE tax refund in your name, would that require you to check with all states (who have an income tax) individually or is that info obtainable in some central location (such as from the IRS)?

I think the state and federal governments should establish a fine for fraudulently filed returns. If TurboTax and the like had a disincentive to allow fraudulent returns to be filed (a fine for each fraudulent return they e-file), they would be more willing to make investments in fraud prevention. Today, they have very little incentive to increase security.

The suggestion to improve the security at the bank transfer level is valid, but why only invest in securing the back door, when the front door is wide open?

But, who would be liable for the fine on the filing? The mom and pop who filed or do you mean, the business who processed the transaction? Or the fraudulent bad guy, who never gets caught? The bad guys seem to hide so effectively under the limit of it costs too much to prosecute them, that it’s not worth it, but they ruin the lives of so many, so it would be up to mom and pop to pay the fine, unfortunately.

Bart – It’s not about how you file as it has no effect, the fraudsters are filing for you and convincing the IRS/State they are legit, getting the bogus return as the numbers they file are made up and run. Then you have to unravel the mess they make when you try to file for real. The only real defense for us is to try and beat them to the punch and file first.

The crooks self report your income, and withholding, and deductibles. — all imaginary.

The IRS won’t receive / correlate your employer reported pay until long after they were obligated to send out the refund. The IRS doesn’t seem to do much correlation between your previous year’s filing and your current filing either. (Unfortunately, you aren’t required to have the same employment details year after year, so they can’t use that as a check, and most other details are either public domain or leaked five times this year.)

Well, at least that’s what historical fraud indicates.

This year, it sounds like the fraudsters are having more success with similar scams against individual states’ IRS analogs.

The IRS does not have the resources to process all paper tax returns anymore. Service centers were downsized due to the increase in streamline e filing. The IRS should increase the time for processing so that they can verify income from w-2’s before sending refunds.

As others have indicated in previous posts, what you’re *supposed* to get back is of no consequence. The numbers entered are bogus. There is no (or very little) cross-referencing being done by state and/or feds. The return amount is fictitious. The refund amount is NOT.

But, if you aren’t supposed to get anything back, then you don’t have to battle the IRS to get your own money back from them. File your return, pay the small amount you owe, and you’re done! Getting the bogus refund back is the IRS’s problem, not yours.

It’s not that simple since the IRS will reject your tax return if a fraudulent one has already been filed under your SSN. So you still have the hassle of rectifying the situation (proving that you are you etc.).

I agree with you completely. The IRS and all those that cooperate with it are scammers of the highest degree. These thieves are stealing stolen monies. It is not now, nor has it ever been a legitimate entity.

Now don’t get me wrong, all the poor people of this once great land that are sucked into filing and having their funds stolen should not be further wronged by these hackers. We play their illegal game and they don’t even have the time to protect us? Go figure.

As a small business owner, I try to keep my EIN (nine digits like a SSN but in the form 00-0000000) secret similar to the way I try to keep my checking account number secret. I just did a Google search on EIN numbers similar to mine but didn’t get any hits.

I find it disingenuous of Dun & Bradstreet regarding EIN numbers. It’s one thing to go searching for an EIN, quite another for a company like D&B aggregating them for the use of crooks. Public information when aggregated should also be given additional security hurdles to get in bulk. They should get the same protections as other sensitive information and hackers.

Can you support that with hard evidence, or are you merely regurgitating the usual conservative talk radio twaddle?

Even if your statement is true, refundable tax credits probably have little, if anything, to do with the matter at hand, namely tax return fraud, especially at the state level.

Remember that ALL of the income data the perps enter on the fraudulent returns are COMPLETELY FABRICATED. Claiming ANY of the common refundable tax credits, e.g. Earned Income Credit (EIC), Child Tax Credit (CTC), American Educational Opportunity Credit (AOC), on a fraudulent return would require a LOT MORE messing around in order to get the numbers to come out right and obtain a reasonable result. Moreover, EXTRA data would be required in many cases, such as a valid SSN for any dependents claimed (EIN and CTC), and a plausible 1098T for AOC.

Much faster and easier for the perps to cobble up a W-2 that shows a substantial overpayment, claim that as a refund on a 1040EZ, and DONE. Even more so for state returns, which typically offer fewer (and smaller) refundable tax credits than federal returns.

The tax credits from alternative sources are going to get attacked because the simple 1040EZ stuff is something that every scammer is going to try on a first go round, and the IRS internal security team knows it. But validating obscure farm credits probably hasn’t gotten as much attention.

The technology exists to defeat these thieves and it would be extremely cost-effective to implement. The real obstacle is that the IRS is underfunded and not allowed by Congress to change its antiquated rules.

If the IRS would use even rudimentary KYC procedures, like all banks and prepaid issuers must use for account-openings, the majority of fraudulent refunds would never be sent out. If they used ALL the KYC procedures available and matched against their own historic data, practically 100% of tax refund fraud would be eliminated.

The ones saying beat them to the punch and file early or make sure you owe them money is no protection unless things have really changed. I got audited because someone filed amended returns and claimed “business expenses” for the previous 3 years taking my income to 0, and in one year, which triggered the audit, took 57k in deductions on 54k in income. These were from stolen returns from an accountant I used. In some of the returns to bump up the returns the base numbers did not even match the originals.